Modern compliance must regulate at faster rates to keep an organization always on-side and operating within acceptable safety, security, sustainability, quality, regulatory and ethical levels.
In an electrical circuit, voltage regulation (maintaining a consistent voltage level) is achieved using a feedback process that measures the output to adjust the circuit to remove variation from the output.
In modern switch-mode power supplies this happens at a frequency between 20,000 and 2 million cycles per second. In theory, the frequency of regulation is chosen to be fast enough to maintain variation in the output within acceptable levels.
The greater the variation in input voltage, the higher the regulation frequency needs to be.
This is not unlike how audit-correction cycles work.
In theory, audits and corrections should happen as frequently as necessary to maintain adherence to the standard within acceptable levels.
The number of days spent operating outside the lines and the time it takes to return to acceptable levels are measures of compliance effectiveness and performance, respectively.
However, what many don't consider is:
The more often things change, the higher the frequency of audits needs to be.
Let’s assume you audit conformance to prescribed controls once every year. It is therefore possible to be off-side for an entire year before anyone notices, plus the time it takes to correct the deviation, hopefully before the next audit.
In the worst case, it could be two years before you get back on-side.
What impact would being off-side for two years have on your operations?
That’s why audits are often too slow and too late to protect value creation.
Never mind that audits seldom evaluate effectiveness against targeted compliance goals and outcomes.
As change can be a significant source of risk, organizations in highly regulated, high-risk sectors use a Management of Change (MOC) process to keep up with the speed of risk due to planned changes. This process functions as a real-time compliance regulator to keep an organization always operating between the lines.
Here are a few questions to consider when planning your compliance:
How long do you wait before knowing when you are off-side?
What are acceptable levels of effectiveness and performance for compliance?
What capabilities and capacities do you need to regulate your compliance to meet your measures of success?
What strategies can you apply to always stay between the lines?